Data privacy and data security
Customer trust and data security are crucial to everything we do at nooa.
Data privacy and security are the responsibility of the entire company.
Product development is carried out according to the principles of "Data Privacy by Design", "Data Privacy by Default", "Zero Knowledge", data minimisation and "OWASP".
Through a large number of technical and organisational measures, we guarantee the greatest possible data privacy and security.
Login to nooa is pseudonymised by the nooa ID and protected through the implementation of secure, state-of-the-art password requirements. Instead of storing passwords, we use a secure procedure based on cryptographic hash functions ("Salted Cryptographic Hash"). All accesses and access attempts to nooa are logged and documented, and access to the platform is time-limited via a token.
All data sent to or from nooa is encrypted during transport using 256-bit encryption. Our API and application endpoints are exclusively TLS/SSL encrypted. Mobile devices also communicate with the endpoint in encrypted form.
Permissions for the nooa platform
Within the platform, you can define different permission levels for employees so that only users authorised by you can access certain functionalities and see specific data ("need-to-know principle"). By default, your users are preset to the most secure permission level and can only obtain additional permissions through an action on your part.
Permissions for internal IT systems
We define access rights internally within the framework of a role/permission concept and review these regularly. We monitor critical administrative permission combinations separately ("separation of duties"). We assign and regularly check access permissions according to the dual control principle and the principle of least privilege ("need-to-know"). At the same time, we use a zero-knowledge password manager with TLS/SSL encryption and integrated dark web monitoring to ensure that access to cloud services is protected.
nooa uses several internal and third-party tools to monitor its production environment and protect against potential threats or errors:
- Any access to data in IT systems is logged and assigned to individuals.
- An internal notification mechanism alerts nooa's operations and support teams to various anomalies detected in production.
- An internal production monitoring dashboard aggregates information from nooa's various systems and provides nooa's operations staff with a clear overview of the status of the production environment.
- nooa has developed its own regression testing framework and ensures high quality and safety standards through automated testing.
- nooa also operates a support ticketing system that allows administrators and users to report any problems or errors.
Failover and data recovery
nooa was developed with emergency recovery in mind. Our services and data are hosted in Amazon Web Services (AWS) facilities in Germany. The architecture is inherently protected against data loss through internal replication mechanisms within the AWS platform. AWS monitors its systems preventively to ensure uninterrupted operation. Critical system components are backed up at multiple, isolated locations ("Availability Zones") designed for independent operation with high reliability.
Database backups of the nooa production system are made regularly and before any major update or configuration change to the production environment. These backups enable a replica environment to be created within a very short time in the event of an emergency. The backups are stored in a different AWS environment and region.
Regular audits and training
Our dedicated infrastructure team is responsible for ensuring that our platform is secure and available at all times. Security audits such as internal penetration testing are conducted regularly and penetration testing by external parties is actively supported. nooa has developed a comprehensive set of security policies covering a range of topics. These policies are regularly updated and communicated to all staff.
Data privacy is an integral part of all our work at nooa. All our systems are built to comply with the latest regulations.
We observe the requirements of proper data processing in accordance with HIPAA and the EU GDPR and undertake to strictly maintain confidentiality during processing. When concluding a contract, we also enter into a data processing agreement (DPA) with you, in which we undertake to comply with data privacy requirements.
Privacy by design
Wherever possible, we process anonymised data. We only collect personal data when it is absolutely necessary. Exactly which data is used and why we need it is explained in detail in our DPA.
The entire platform is equipped with data privacy-friendly default settings. This means that the basic settings of the platform are designed in such a way that user data is protected in the best possible way. You can adjust settings in the platform that deviate from the default. This will always be marked as a deviation and provided with warnings.
Data protection officer
We have appointed a competent and reliable person as data protection officer (DPO). This person accompanies changes in internal work processes from a data privacy perspective, points out privacy aspects, and supervises and advises our data management.
Our employees are instructed in the handling of confidential data. All staff contracts contain a confidentiality agreement and written rules for handling sensitive data. We have a policy to ensure compliance with the GDPR, including regular training and awareness-raising measures.
Proactive privacy management
A data protection impact assessment is carried out before any new project. In this way, we ensure that we are always in control of our risks and have procedures in place to mitigate them. Data privacy audits are carried out regularly by internal and external DPOs.
Data processing in accordance with instructions
We process your data exclusively as contractually agreed. We do not use the data provided for processing for any other purposes, including our own. We do not sell your data to third parties.
Data sharing and transfers
Like most businesses, we use a number of third-party providers as part of our data processing, such as cloud and technology services. We have a due diligence process with all of our providers and sub-processors, including DPAs. These DPAs are reviewed by our DPO and must be approved by senior management before they are signed.